The Internal Revenue Service, which disclosed this week the breach of 100,000 taxpayer accounts, has been steadily reducing the size of its internal cybersecurity staff as it increases its security spending. This may seem paradoxical, but one observer suggested it could signal a shift to outsourcing.

In 2011, the IRS employed 410 people in its cybersecurity organization, but by 2014 the headcount had fallen by 11% to 363 people, according to annual reports about IRS information technology spending by the U.S. Treasury Department Inspector General.

Data from the 2011 edition of the U.S. Treasury Inspector General’s Annual Assessment of the Internal Revenue Service Information Technology Program. MITS stands for the IRS’s Modernization and Information Technology Services Division.

Despite this staff reduction, the IRS has increased spending in its cybersecurity organization. In 2012, the IRS earmarked $129 million for cybersecurity, which rose to $141.5 million last year, an increase of approximately 9.7%.

This increase in spending, coupled with the reduction in headcount, is an indicator of outsourcing, said Alan Paller, director of research at the SANS Institute. Paller sees risks in that strategy.

"Each organization moves at a different pace toward a point at which they have outsourced so much that the insiders do little more than manage contracts, and lose their technical expertise and ability to manage technical contractors effectively," said Paller.

Data from the 2014 edition of the U.S. Treasury Inspector General’s Annual Assessment of the Internal Revenue Service Information Technology Program. MITS stands for the IRS’s Modernization and Information Technology Services Division.

An IRS spokesman was not able to immediately answer questions about the IRS's cybersecurity spending.

There is no apparent connection between IRS technology budget, staffing levels and the recently revealed data breach. The thieves used individual data, such as Social Security numbers collected from non-IRS sources, to access IRS records. The IRS has described the attack as "sophisticated" and it's now under investigation.

This breach is drawing congressional scrutiny. On Tuesday, U.S. Senator Orrin Hatch (R-Utah), who heads the Senate Finance Committee, called the breach "unacceptable."

The IRS's total IT budget in 2014 was $2.5 billion, an increase from the prior year's $2.3 billion, with 7,339 employees last year, little change from 7,303 reported in 2013.

The agency's IT budget has fared better than the agency overall. Congress has been cutting spending at the agency. IRS funding has been reduced by $1.2 billion over the last five years, from $12.1 billion in 2010 to $10.9 billion this year. An IRS official told lawmakers earlier this year that the budget cuts have delayed critical IT investments of more than $200 million, which includes replacing aging IT systems.

"We still have applications that were running when John F. Kennedy was president," said IRS commissioner John Koskinen earlier this year. He warned that the failure to upgrade systems exposes the IRS to "to more system failures and potential security breaches."

The Center on Budget and Policy Priorities, a non-partisan research group, reported in April that the IRS budget had been cut 18% since 2010, when adjusted for inflation. Its headcount has declined from more than 94,000 to just above 81,000 over that period.

This story, "IRS cut its cybersecurity staff by 11% over four years" was originally published by
Computerworld.